Hey Buck, dnsmasq blocks all IPv4 address replies in the "private" subnets when enabling stop-dns-rebind. For IPv6, it blocks only the IPv4-mapped address ranges matching said private subnets.
Neither ULAs nor LLs (link-locals) are blocked in the IPv6 range. I agree this should be added. I can provide a patch for this, maybe tomorrow, if this is wanted. However, I'm afraid it might already be too late for 2.81, cfm. Simon.

Best,
Dominik

On 11 March 2020 00:47:02 CET, buckh...@weibsvolk.org wrote:
>I am using dnsmasq version pi-hole-2.80 as embedded in Pi-hole, with my
>router set as its sole upstream server (server=192.168.178.1#53).
>
>When evaluating DNS rebind protection provided by dnsmasq (by adding
>stop-dns-rebind), I observed that dnsmasq correctly detects and
>suppresses IPv4 answers, but fails to do the same for IPv6 ULA addresses
>(maybe even for IPv6 in general).
>
>E.g. "nslookup wpad.fritz.box" from a Windows client results in the
>following log entries:
>
>09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
>09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>09:58:08 dnsmasq[20063]: possible DNS-rebind attack detected: wpad.fritz.box
>09:58:08 dnsmasq[20063]: query[AAAA] wpad.fritz.box from 192.168.178.200
>09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
>09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
>
>Shouldn't IPv6 ULA and link-local addresses also be suppressed?
>Does dnsmasq exhibit this behaviour by intention, or could this be seen
>as a possible gap in rebind protection?
>
>Kind regards,
>
>Buck
>
>_______________________________________________
>Dnsmasq-discuss mailing list
>Dnsmasq-discuss@lists.thekelleys.org.uk
>http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
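The gap the thread describes, as an added example (not dnsmasq's own code and not from either poster): a small model of a stop-dns-rebind answer filter that, like the reported 2.80 behaviour, checks IPv6 answers only through their IPv4-mapped form, beside the extended check that also rejects ULA (fc00::/7) and link-local (fe80::/10) answers. The IPv4 range list is an assumed approximation of what dnsmasq treats as "private"; the exact list lives in dnsmasq's source. The log lines in `SAMPLE_LOG` are constructed for the example, following the format of the excerpt above, so the filter can be run over them offline.

```python
"""Model of a --stop-dns-rebind answer filter, with and without the IPv6 ULA/LL check."""
import ipaddress
import re

# Assumed approximation of the IPv4 ranges dnsmasq rejects as "private"
# (not the exact list from dnsmasq's source).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# IPv6 ranges the thread asks to add: ULA (RFC 4193) and link-local (RFC 4291).
LOCAL_V6 = [ipaddress.ip_network(n) for n in ("fc00::/7", "fe80::/10")]


def is_rebind_address(addr: str, check_v6_local: bool = True) -> bool:
    """Return True if an upstream answer for this address should be suppressed.

    check_v6_local=False models the reported behaviour: an IPv6 answer is only
    rejected when it is an IPv4-mapped address (::ffff:a.b.c.d) whose embedded
    IPv4 address is private; native ULA/link-local answers pass through.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return any(ip in net for net in PRIVATE_V4)
    mapped = ip.ipv4_mapped          # IPv4Address for ::ffff:a.b.c.d, else None
    if mapped is not None:
        return any(mapped in net for net in PRIVATE_V4)
    if check_v6_local:
        return any(ip in net for net in LOCAL_V6)
    return False


# Matches the "reply <name> is <address>" lines dnsmasq writes with log-queries.
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")


def audit_log(log_text: str, check_v6_local: bool = True):
    """Classify every reply line in a dnsmasq log excerpt.

    Returns a list of (name, address, suppressed) tuples; lines that are not
    reply lines (queries, forwards, existing rebind warnings) are skipped.
    """
    results = []
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, addr = m.groups()
        try:
            suppressed = is_rebind_address(addr, check_v6_local)
        except ValueError:            # e.g. "reply foo is <CNAME>"
            continue
        results.append((name, addr, suppressed))
    return results


# Constructed log excerpt in dnsmasq's log-queries format (not a real capture).
SAMPLE_LOG = """\
09:58:08 dnsmasq[20063]: query[A] wpad.fritz.box from 192.168.178.200
09:58:08 dnsmasq[20063]: forwarded wpad.fritz.box to 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is 192.168.178.1
09:58:08 dnsmasq[20063]: reply wpad.fritz.box is fd00::2ba:dcff:feca:fe00
09:58:09 dnsmasq[20063]: reply printer.lan is fe80::1
09:58:09 dnsmasq[20063]: reply mapped.example is ::ffff:10.0.0.5
09:58:10 dnsmasq[20063]: reply www.example.com is <CNAME>
09:58:10 dnsmasq[20063]: reply www.example.com is 2001:db8::1
09:58:10 dnsmasq[20063]: reply www.example.com is 203.0.113.7
"""


def suppressed_addresses(log_text: str, check_v6_local: bool = True):
    """Addresses the filter would block, in log order."""
    return [addr for _, addr, blocked in audit_log(log_text, check_v6_local) if blocked]


if __name__ == "__main__":
    for mode, flag in (("as reported (IPv4-mapped only)", False), ("with ULA/LL check", True)):
        print(f"{mode}: blocked {suppressed_addresses(SAMPLE_LOG, flag)}")
```

With `check_v6_local=False` the model reproduces the thread's observation: the private IPv4 answer and the IPv4-mapped one are blocked, while `fd00::...` and `fe80::1` are returned to the client. Enabling the check closes that gap without touching globally routable IPv6 answers such as `2001:db8::1`.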